SignatureVerificationFailedException processing unsigned SAML AuthnRequest

  • Question

  • I am attempting to integrate a web application that I'm responsible for with ADFS using SAML. I have previously successfully integrated this application with several other SAML IdPs, including Azure AD. I've set up Windows Server 2016 and ADFS in my dev environment and created a Relying Party Trust for my application. When I do an SP-initiated sign-in and the user gets redirected to ADFS (with the AuthnRequest in the redirect request URL), ADFS rejects the request, with this showing up in the ADFS log:

    Encountered error during federation passive request. 
    
    Additional Data 
    
    Protocol Name: 
    Saml 
    
    Relying Party: 
    com.onshape.saml2.sp 
    
    Exception details: 
    Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0037: No signature verification certificate found for issuer 'com.onshape.saml2.sp'.
       at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
    
    

    The AuthnRequest is unsigned and I previously did:

    Set-AdfsRelyingPartyTrust -SignedSamlRequestsRequired $False 
    

    so I don't understand why ADFS is rejecting the request.

    FWIW, the (decoded) request looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <saml2p:AuthnRequest
        xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
        AssertionConsumerServiceURL="http://localhost.dev.onshape.com:8082/identity/saml2/sso"
        Destination="https://adfs.nmishkin.com/adfs/ls/"
        ForceAuthn="false"
        ID="a49ae29dec9631aa2ai1dad79heahef"
        IsPassive="false"
        IssueInstant="2019-07-10T19:26:36.860Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Version="2.0">
      <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">com.onshape.saml2.sp</saml2:Issuer>
    </saml2p:AuthnRequest>
    

    Any ideas what the problem is?

    Nat




    Thursday, July 11, 2019 4:23 PM

All replies

  • I had the same problem just this week as well. We could do IdP-initiated sign-on but not SP-initiated (got the same error as you even after running the same PowerShell). The problem turned out to be that when the app was doing SP-initiated sign-on, it was still adding a signature at the HTTP request level to the SAML request. After not much help from the vendor we tried adding the HTTPS cert of the application as the signing cert of the RP in ADFS and it finally worked. Hope this at least helps give you another place to investigate.

    [Screenshot: SAML signature at HTTP request level]
    Wednesday, July 17, 2019 5:07 PM
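As an added example (not code from the original thread or from ADFS), the following Python script decodes an HTTP-Redirect binding SAMLRequest like the one in the question and reports whether a signature is present in the XML itself or, as in the reply above, at the HTTP request level via the SigAlg/Signature query parameters. The abridged AuthnRequest, the redirect URLs and the placeholder signature values are constructed for this example.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample: the unsigned AuthnRequest from the question, abridged.
AUTHN_REQUEST = (
    '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="a49ae29dec9631aa2ai1dad79heahef" Version="2.0" '
    'IssueInstant="2019-07-10T19:26:36.860Z" '
    'Destination="https://adfs.nmishkin.com/adfs/ls/">'
    f'<saml2:Issuer xmlns:saml2="{SAML_NS}">com.onshape.saml2.sp</saml2:Issuer>'
    '</saml2p:AuthnRequest>'
)

def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def decode_redirect_binding(param: str) -> bytes:
    return zlib.decompress(base64.b64decode(param), -15)

def inspect_redirect_url(url: str) -> dict:
    """Report where, if anywhere, the AuthnRequest in a redirect URL is signed."""
    query = parse_qs(urlsplit(url).query)
    root = ET.fromstring(decode_redirect_binding(query["SAMLRequest"][0]))
    return {
        "issuer": root.findtext(f"{{{SAML_NS}}}Issuer"),
        # signature embedded in the XML as a ds:Signature child element
        "xml_signed": root.find(f"{{{DSIG_NS}}}Signature") is not None,
        # signature carried by the binding itself as SigAlg/Signature parameters
        "binding_signed": "SigAlg" in query or "Signature" in query,
    }

def diagnose(info: dict) -> str:
    if info["xml_signed"] or info["binding_signed"]:
        return (f"request from {info['issuer']} is signed; ADFS needs a signing "
                "certificate on the Relying Party Trust to verify it")
    return "request is unsigned; SignedSamlRequestsRequired=$False is sufficient"

def build_url(signed: bool) -> str:
    params = {"SAMLRequest": encode_redirect_binding(AUTHN_REQUEST)}
    if signed:  # constructed placeholder values, not a real signature
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = base64.b64encode(b"PLACEHOLDER").decode()
    return "https://adfs.nmishkin.com/adfs/ls/?" + urlencode(params)
```

Run `diagnose(inspect_redirect_url(url))` against the actual redirect URL captured from the browser to see which of the two signature locations ADFS is reacting to.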